Nursery and early years sector: COVID-19 restrictions and consumer law
How does consumer law apply to arrangements with parents during the current pandemic?Read more
It’s nearly two years now since GDPR came into force so this is a good time to reflect on some of the lessons we have learnt advising schools and academies on compliance during that time.
This is the first in a series of reflections and we have started with data protection officers as 2018 marked the point where this new role came onto the education radar, presenting a novel challenge for many.
Most of you will have been fortunate enough to be have been able to appoint your DPO at or shortly after GDPR came into force. However, we have seen over the last two years that finding the right person to fill the role can be difficult and that many of the schools and academies that we work with have been forced (through resignations) or have chosen (as part of regular data protection reviews) to look again at the appointment they made.
It is no surprise that filling the role of DPO can be difficult given that they must:
Whilst the expertise requirements are difficult enough to meet, this last point can be the hardest to comply with. In effect, it means that the DPO cannot hold a position that leads him or her to decide how you handle personal data. Because of this, we do not feel that a governor, headteacher or director of an academy or MAT can be the DPO as there is a real risk of a conflict of interest between their work in one role (where they are a decision-maker) and the other (which requires strict independence). In light of this, we have found that a lot of organisations are looking again at their appointments and choosing external advisors as their DPO.
If you have any questions about data protection or there are any subjects you would like us to cover in future updates, please contact us on 01332 226 466 or complete the form below.
Scroll to next section
Scroll back to the top